#
config INTEGRITY
	def_bool y
	depends on IMA || EVM

config INTEGRITY_SIGNATURE
	boolean "Digital signature verification using multiple keyrings"
	depends on INTEGRITY && KEYS
	default n
	select SIGNATURE
	help
	  This option enables digital signature verification support
	  using multiple keyrings. It defines separate keyrings for each
	  of the different use cases - evm, ima, and modules.
	  Different keyrings improve search performance, and also allow
	  a keyring to be "locked" to prevent adding new keys.
	  This is useful for evm and module keyrings, when keys are
	  usually only added from initramfs.

config INTEGRITY_ASYMMETRIC_KEYS
	boolean "Enable asymmetric keys support"
	depends on INTEGRITY_SIGNATURE
	default n
	select ASYMMETRIC_KEY_TYPE
	select ASYMMETRIC_PUBLIC_KEY_SUBTYPE
	select PUBLIC_KEY_ALGO_RSA
	select X509_CERTIFICATE_PARSER
	help
	  This option enables digital signature verification using
	  asymmetric keys.

config INTEGRITY_AUDIT
	bool "Enables integrity auditing support "
	depends on INTEGRITY && AUDIT
	default y
	help
	  In addition to enabling integrity auditing support, this
	  option adds a kernel parameter 'integrity_audit', which
	  controls the level of integrity auditing messages.
	  0 - basic integrity auditing messages (default)
	  1 - additional integrity auditing messages

	  Additional informational integrity auditing messages would
	  be enabled by specifying 'integrity_audit=1' on the kernel
	  command line.

source security/integrity/ima/Kconfig
source security/integrity/evm/Kconfig